Armadillo Detective 1.0

// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.
com
/*
-------------------------------------------------------------------
MEPHiST0s - ARMADiLLO DETECTiVE v1.00 for olly script
-------------------------------------------------------------------
tested on Olly Debug v1.1.0, and Olly Script v0.92 on WinXP
-------------------------------------------------------------------
- DETECTS Original Entry Point of most ARMADILLO v3.xx
- DETECTS and REPAIRS Code Splicing.
- DETECTS and REPAIRS Magic IAT jump.
- DETECTS Import Elimination...
- DETECTS Most Armadillo Version infos.
- Allows 1 execution for full working dump file in most cases.
___________________________________________________________________
[DEBUGGING OPTIONS]:
REMOVE ALL Hardware Breakpoints on the Target
Select ALL items in Debugging Options-Exceptions:
ALSO: aDD C000001D(ILLEGAL ISTRUCTION) aND C0000005(ACCESS ViO)
aND C000001E(INVALID LOCK SEQUENCE) in custom exceptions
___________________________________________________________________
*/
var adata
var rdata
var Armadillo_Version
var called
var codesplice
var crcfix
var dbcheck
var debugblock
var Magic_Jump_Location
var impelim
var impelimmem
var impelimmem0
var mem
var mem0
var mem1
var mem2
var Original_Entry_Point
var strcheck
var time
var temp
var VirtualAlloc
gmi eip,MODULEBASE
find $RESULT,#2E6164617461#
mov adata,$RESULT
add adata,0c
mov adata,[adata]
gmi eip,MODULEBASE
add adata,$RESULT
log adata
gmi eip,MODULEBASE
find $RESULT,#2E7264617461#
mov rdata,$RESULT
add rdata,0c
mov rdata,[rdata]
gmi eip,MODULEBASE
add rdata,$RESULT
log rdata
dbh
gpa "OpenMutexA", "kernel32.dll"
mov mem,$RESULT
bp mem
esto
esto
rtr
sti
bc mem
gpa "time", "MSVCRT.dll"
mov time,$RESULT
bp time
mov dbcheck,[eip]
and dbcheck,0000FFFF
cmp dbcheck,0000C085 //checking for debug blocker
je db
jmp csbreak
db:
msg "This File is protected with Armadillo's Debug Blocker Feature or CopyMEM2."
mov debugblock,1
mov eax,1
jmp csbreak
csbreak:
gpa "strchr", "MSVCRT.dll"
mov mem0,$RESULT
bp mem0
esto
cmp mem0,eip
jne lblerror
cmp time,eip // checking for code splicing
je cs
esto
cmp time,eip
je cs
cmp mem0,eip
je iatj
esto
cmp mem0,eip
jne lblerror
jmp iatj
cs:
rtr
sti
find eip,#6A406800100000#
find $RESULT,#8985????????83BD????????0074??#
bp $RESULT
esto
bc $RESULT
cmp $RESULT,eip
jne iatj
mov codesplice,1
msg "This File is protected with Armadillo's Code Splicing Feature."
mov eax,adata
jmp iat1
iat1:
bp mem0
esto
cmp mem0,eip
jne lblerror
bc mem0
rtr
sti
jmp iatmain
iatj:
cmp time,eip
je cs
rtr
sti
mov strcheck,[eip]
and strcheck,00FFFFFF
cmp strcheck,00405959
je iatmain
jmp iatm
iatm:
esto
jmp iatj
iatmain:
bc mem0
mov mem2,eip
find mem2,#FF15????????595985C07511#
mov Magic_Jump_Location,$RESULT
find Magic_Jump_Location,#7511#
mov Magic_Jump_Location,$RESULT
repl Magic_Jump_Location, #7511#, #EB13#, 4
find Magic_Jump_Location,#0F8598000000#
mov temp,$RESULT
repl temp, #0F8598000000#, #90E998000000#, 14
find temp,#83BD????????0074??8B85??#
mov crcfix,$RESULT
bp crcfix
esto
bc crcfix
repl Magic_Jump_Location, #EB13#, #7511#, 4
repl temp, #90E998000000#, #0F8598000000#, 14
find eip,#FFD78BD85F8BC35E5BC3# //find call edi
mov called,$RESULT
gpa "VirtualProtect", "kernel32.dll"
mov impelimmem,$RESULT
bp impelimmem
esto
rtr
sti
find eip,#A1????????8A80????????8885#
mov impelimmem0,$RESULT
bc impelimmem
cmp impelimmem0,eip
je elimination
cmp debugblock,1
je elimloop
jmp na
elimloop:
gpa "VirtualProtect", "kernel32.dll"
mov impelimmem,$RESULT
bp impelimmem
bp called
bc time
esto
cmp called,eip
je finish
esto
rtr
sti
find eip,#A1????????8A80????????8885# //elimination signature
cmp impelimmem0,eip
je elimination
esto
rtr
sti
find eip,#A1????????8A80????????8885#
cmp impelimmem0,eip
je elimination
cmp called,eip
je finish
esto
rtr
sti
find eip,#A1????????8A80????????8885#
cmp impelimmem0,eip
je elimination
cmp called,eip
je finish
esto
rtr
sti
find eip,#A1????????8A80????????8885#
cmp impelimmem0,eip
je elimination
cmp called,eip
je finish
esto
rtr
sti
find eip,#A1????????8A80????????8885#
cmp impelimmem0,eip
je elimination
cmp called,eip
je finish
esto
rtr
sti
find eip,#A1????????8A80????????8885#
cmp impelimmem0,eip
je elimination
bc impelimmem
jmp na
elimination:
msg "This File might be Protected with Armadillo's Import Elimination Feature"
bc impelimmem
mov impelim,1
jmp na
na:
find eip,#FFD78BD85F8BC35E5BC3#
mov called,$RESULT
bp called
cmp called,eip
je finish
esto
cmp called,eip
je finish
esto
cmp called,eip
je finish
esto
cmp called,eip
je finish
esto
cmp called,eip
je finish
jne lblerror
finish:
bc impelimmem
bc called
find called,#61726D56657273696F6E3E??????????????????????????????????????#
find called,#332E??????????????#
mov Armadillo_Version,$RESULT
sti
mov mem,[eip]
and mem,0000FFFF
cmp mem,0000D7FF
je finish
jmp tagx
tagx:
log " "
log " M E P H i S T 0"
log " "
log " ARMADiLLO DETECTiVE v1.00 - FOR olly SCRiPT"
log " "
cmp debugblock,1
je log_db
cmp codesplice,1
je log_cs
cmp impelim,1
je log_impelim
jmp tag1
tag1:
mov Original_Entry_Point,eip
cmt Original_Entry_Point," = Original Entry Point"
log " "
log Original_Entry_Point
jmp tagmain
tagmain:
log " "
log Magic_Jump_Location
log " "
log Armadillo_Version
log " "
log "File is Ready for dumping - Magic Jump Patched - IAT is ready for Rebuildin
g"
bc mem0
bc mem1
bc mem2
bc time
jmp lblw00t
log_cs:
log " "
log " -= ARMADiLLO Code Splicing has BEEN DETECTED - AND REPAIRED =- "
log " "
cmp impelim,1
je log_impelim
jmp tag1
log_impelim:
log " "
log " -= ARMADiLLO Import Elimination has BEEN DETECTED =- "
log " "
jmp tag1
log_db:
log " "
log " -= ARMADiLLO Debug Blocker has BEEN DETECTED - AND REPAIRED =- "
log " "
cmp codesplice,1
je log_cs
cmp impelim,1
je log_impelim
jmp tag1
lblw00t:
msg "Found the OEP - You can now DUMP the target file - IAT Magic JUMP is Patche
d: IAT is READY for REBUILDING: Please Check the LOG Window"
ret
lblerror:
msg "Errors Have Occured, Please Check LOG. the File might be protected with Cop
ymem2, or hardware breakpoints may exsist"
ret
// [BACK]

Armadillo Detective 1.0

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Armadillo Detective 1.0

Uploaded by

Copyright:

Available Formats

// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.

You might also like